The September 2022 unauthorised disclosure of work-in-progress footage from Grand Theft Auto VI is widely regarded by mainstream press as one of the largest leaks in the history of the video game industry (MacDonald, 2022; Tidy, 2023a). The episode, and the subsequent secondary dissemination of materials in December 2023, were not isolated curiosities; they sat within a broader pattern of intrusions attributed to the extortion-focused collective Lapsus$, whose members had already breached Nvidia, Samsung, Microsoft, Okta, Ubisoft and Uber during the preceding eighteen months (Wikipedia, 2025a; CISA, 2023). The present report draws together publicly reported facts in a single chronological frame, beginning with the pre-leak context that shaped Rockstar Games' operational posture, proceeding through the initial breach, the trial and conviction of Arion Kurtaj, the Christmas 2023 secondary dump, the 2024 aftermath, and the May 2025 trailer that fans interpreted as a knowing self-reference. Where outlets disagree on dates or framing, those divergences are noted. The report is written in formal British English and confines itself to material already in the public record; it does not attempt to reproduce, characterise in technical detail, or extend the leaked content beyond what mainstream journalists have already published.
Reporting by Bloomberg's Jason Schreier indicates that preliminary work on Grand Theft Auto VI began at Rockstar Games in 2014, with substantive development commencing in late 2018 after the release of Red Dead Redemption 2 (Wikipedia, 2025b). Principal production reportedly started around 2020 under the internal code name Project Americas, and Rockstar formally confirmed development was "well underway" on 4 February 2022 (Wikipedia, 2025b). During the same window, Lapsus$ β a hacker group later identified by Microsoft as "DEV-0537" or "Strawberry Tempest" β was making a name for itself with a string of high-profile intrusions. The Wikipedia entry on the group, drawing on Reuters, The Verge, Krebs on Security and Wired, records the following pre-Rockstar attack cadence: Brazil's Ministry of Health (December 2021); Okta (January 2022, disclosed March 2022); Nvidia (FebruaryβMarch 2022); Samsung (March 2022); Mercado Libre (March 2022); Ubisoft (March 2022); T-Mobile (March 2022); Microsoft (March 2022); and Globant (March 2022) (Wikipedia, 2025a; Goodin, 2022; Clark, 2022). On 24 March 2022 the City of London Police arrested seven people aged between 16 and 21 in connection with the group (Peters, 2022). One of the principals, an Oxford teenager later named in open court as Arion Kurtaj, was charged on 1 April 2022 (BBC, 2022a). On 15 September 2022, three days before the Rockstar disclosures, Uber announced it had been breached by a hacker subsequently linked to Lapsus$ (Reuters, 2022; Kan, 2022). That sequence β and Uber's public acknowledgement of FBI engagement β formed the immediate context for what followed.
On Sunday 18 September 2022, an account using the handle "teapotuberhacker" published a post to the long-standing fan community GTAForums containing approximately 90 video clips of work-in-progress footage from Grand Theft Auto VI, totalling roughly 50 minutes (Wikipedia, 2025b; MacDonald, 2022). The Wikipedia article, citing The Guardian, The Verge, Kotaku, PC Gamer and IGN, reports that the footage spanned animation and gameplay tests, level layouts, character conversations and scenes featuring the two protagonists later confirmed as Lucia and Jason (Wikipedia, 2025b). Bloomberg's Jason Schreier independently verified with Rockstar sources that the material was genuine (Clark, 2022; Wikipedia, 2025b). The poster claimed responsibility for the prior week's Uber breach and asserted that they had taken the files directly from Rockstar's internal Slack workspace; they further threatened to release source code, internal builds and additional assets for Grand Theft Auto V and VI if a deal could not be reached (Wikipedia, 2025b).
Within roughly twenty-four hours, Take-Two Interactive launched a wave of takedown notices against re-uploads of the footage on YouTube, and contacted moderators on GTAForums and Reddit to suppress redistribution (MacDonald, 2022; Wikipedia, 2025b). On 19 September 2022 Rockstar Games issued a public statement confirming a "network intrusion", lamenting the way in which the title had first been demonstrated to the public, and stating that it did not anticipate long-term effects on development (Wikipedia, 2025b). Take-Two added that steps had been taken "to isolate and contain this incident" (Wikipedia, 2025b). Take-Two's share price reportedly fell by more than six per cent in pre-market trading before recovering during regular trading hours after the statement was released (Wikipedia, 2025b). Rockstar disabled comments and replies across its social media channels in the days that followed (Wikipedia, 2025b).
On the same day, Uber publicly tied its own 15 September breach to the same actor and stated that it was working with the Federal Bureau of Investigation and the United States Department of Justice. Uber reported that it believed the hacker to be affiliated with Lapsus$ (Robinson, 2022; Wikipedia, 2025a). Video Games Chronicle reported Uber's reference to a "potential GTA 6 hacker" on 19 September 2022 (Robinson, 2022).
According to BBC News, Kotaku, Video Games Chronicle and the later court proceedings summarised by BBC cyber correspondent Joe Tidy, a 17-year-old from Oxfordshire β subsequently identified at trial as Arion Kurtaj β was arrested by the City of London Police on 22 September 2022, with support from the National Cyber Crime Unit and US federal law enforcement (Tidy, 2023a; Wikipedia, 2025b). Reporting from BBC News makes clear that at the time of the Rockstar intrusion, the teenager was already on bail in connection with earlier hacks against EE and Nvidia and was under police protection at a Travelodge hotel in Bicester (Tidy, 2023a). The court later heard that the intrusion into Rockstar was carried out from that hotel room using a mobile phone, a television and an Amazon Fire TV Stick (Tidy, 2023a). The same reporting describes a message that was sent through Rockstar's internal Slack β addressed to all staff β in which the attacker stated, "I am not a Rockstar employee, I am an attacker," and threatened to release source code if Rockstar did not make contact within 24 hours (Tidy, 2023a).
The Wikipedia article aggregates contemporaneous responses from CNET, TheGamer and IGN, all of which described the event as one of the biggest leaks in video game history (Wikipedia, 2025b). Schreier characterised the situation as "a nightmare for Rockstar Games" and suggested it could constrain employees' remote-work flexibility (Wikipedia, 2025b). Jefferies analyst Andrew Uerkwitz framed the event to investors as a public-relations disaster with the potential to delay the game and erode staff morale, but considered it unlikely to harm eventual reception or sales (Wikipedia, 2025b). Notably, The Guardian observed that the footage was being widely criticised "by ill-informed users" due to its unfinished quality, and a number of developers β including Cliff Bleszinski, Neil Druckmann, Rami Ismail and Alanah Pearce β publicly shared work-in-progress footage from their own projects in solidarity (MacDonald, 2022; Wikipedia, 2025b).
In the months that followed, Take-Two's public position remained largely consistent: chief executive Strauss Zelnick acknowledged that the breach had affected staff emotionally and prompted a more cautious posture on cybersecurity, but maintained that the business was unaffected (Wikipedia, 2025b). Rockstar later told the court that the incident had cost the company roughly five million US dollars and thousands of staff hours to remediate (Tidy, 2023b). On 19 October 2022, Brazilian Federal Police arrested an individual in Feira de Santana, Bahia, accused of involvement in Lapsus$ attacks against the Brazilian Ministry of Health and other targets under "Operation Dark Cloud" (Gatlan, 2022; Wikipedia, 2025a). Sources are consistent that this Brazilian arrest is separate from the UK investigation that produced charges against the Oxfordshire teenager and his 17-year-old co-defendant.
The trial of Arion Kurtaj and an unnamed 17-year-old co-defendant opened in mid-2023 at Southwark Crown Court in London and ran for approximately seven weeks (Tidy, 2023a; Wikipedia, 2025a). Twelve offences were on the indictment, including six counts of computer misuse, three of blackmail and two of fraud (Wikipedia, 2025b). Because Kurtaj is autistic and was deemed unfit to stand trial by psychiatrists, the jury was not asked to determine criminal intent; instead, under English procedure for defendants found unfit to plead, the jury determined whether he had committed the acts alleged (Tidy, 2023a). On 23 August 2023, BBC News reported that the court had found that both teenagers carried out the hacking spree (Tidy, 2023a). Notable findings reported by the BBC included the use of SIM-swap material to drain approximately Β£100,000 in cryptocurrency from five victims, a $4 million ransom demand to BT and EE in August 2021, the Nvidia intrusion in February 2022, and the "most audacious" act β the Rockstar Slack message β carried out while Kurtaj was on bail in the Bicester Travelodge (Tidy, 2023a). The US Cyber Safety Review Board's August 2023 report on Lapsus$ described members as "juveniles, in some instances" and warned that defences needed to improve against the rising threat of teenage extortion crews (CISA, 2023).
On 21 December 2023, BBC News reported that Kurtaj had been handed an indefinite hospital order by Her Honour Judge Lees, on the basis that he remained a high risk to the public and had expressed an intent to continue offending (Tidy, 2023b; BBC, 2023). Eurogamer, The Verge and The Guardian covered the same disposition; minor wording differences appear between outlets (for example, "indefinite hospital order" versus "indefinite stay in a secure psychiatric facility"), but the substance is consistent (Wikipedia, 2025a; Wikipedia, 2025b).
Public reporting indicates that on or about 25 December 2023, additional material from the original 2022 intrusion began circulating online. Game Rant's rumour-tracking piece by Md Armughanuddin, dated 25 December 2023, is the most frequently cited primary press reference for this secondary dispersal, and is the source used by both the Wikipedia Lapsus$ entry and the Grand Theft Auto VI entry (Armughanuddin, 2023; Wikipedia, 2025a). According to that publicly reported summary, the additional material was reported to include game files relating to a planned follow-up to Bully, Python code associated with Grand Theft Auto VI, and the source code for Grand Theft Auto V, with the latter reportedly containing hints about previously-planned downloadable content (Armughanuddin, 2023; Wikipedia, 2025a). The present report deliberately does not enumerate, name or describe specific files, asset names, internal identifiers or any technical content beyond what those mainstream summaries provided. The timing β falling on Christmas Day, while Kurtaj's hospital order was less than a week old β was widely remarked upon. Where outlets diverge, the disagreement is principally one of attribution rather than content: it remained unclear in public reporting whether the secondary dispersal was carried out by a confederate, by someone who had purchased or otherwise obtained the original cache, or by a copycat β Game Rant explicitly labelled the story a "rumor" at the point of publication (Armughanuddin, 2023).
Mainstream reporting in 2024 was less dramatic than the 2022β2023 sequence. The principal narrative threads in the public record include: Rockstar's instruction, reported by Bloomberg and IGN from April 2024, that employees cease remote working and return to offices "for productivity and security" during what was described as "the final stages of development" (Wikipedia, 2025b); criticism of that decision by the Independent Workers' Union of Great Britain (IWGB), which argued it contradicted earlier flexible-working assurances (Wikipedia, 2025b); and Kotaku's reporting that the decision was understood internally as partly intended to avoid a delay (Wikipedia, 2025b). The CSRB's August 2023 review (CISA, 2023) continued to be cited through 2024 as the authoritative public summary of Lapsus$ methodology, particularly its reliance on social engineering, SIM swapping, MFA fatigue attacks and the recruitment of insiders. There were no further mainstream reports during 2024 of additional Rockstar-attributable dumps on the scale of the Christmas 2023 episode.
A notable 2025 footnote belongs in the aftermath section for completeness: on 1 January 2025 a Reddit user posted a photograph and two short videos that Eurogamer attributed, based on visible office surroundings, to Rockstar San Diego; the post was deleted, and Polygon's Ian Walker characterised it as "the worst leak of all time" because it revealed essentially nothing new (Wikipedia, 2025b).
On 6 May 2025, Rockstar released the second trailer for Grand Theft Auto VI, which formally introduced the full names of the protagonists Jason Duval and Lucia Caminos (Collins and Richardson, 2025; Wikipedia, 2025b). The trailer's opening sequence depicts Jason "just fixing some leaks". Coverage by PC Gamer, GamesRadar+ and TheGamer observed that many viewers and commentators read the line as a wry, knowing nod to the 2022 and 2023 leaks (Wikipedia, 2025b). The trailer itself was reported to have attracted over 475 million views across all platforms within 24 hours, eclipsing Deadpool & Wolverine as the biggest video launch on record at the time, before being surpassed in March 2026 by the first trailer for Spider-Man: Brand New Day (Wikipedia, 2025b). Within the same 6 May 2025 marketing push, Rockstar updated the official website with around 70 screenshots and a series of character and location descriptions (Wikipedia, 2025b).
Taken in aggregate, the publicly reported timeline tells a relatively coherent story rather than a series of disconnected incidents. The September 2022 intrusion sat within an ongoing Lapsus$ campaign that had already reached Nvidia, Samsung, Microsoft, Okta, Ubisoft and Uber; the same individual, while on bail and under police protection, used commodity consumer hardware to breach Rockstar; and the secondary dispersal of December 2023 occurred while the principal had just been handed an indefinite hospital order. The CSRB's mid-2023 review supplies the unifying technical and institutional frame: a small, loosely-organised, often juvenile crew, drawing on social engineering and SIM swapping rather than novel zero-day exploitation, repeatedly defeated mature corporate defences (CISA, 2023).
For the public reception of Grand Theft Auto VI itself, the timeline reshaped expectations in three durable ways. First, it changed what fans believed they "knew" about the game years ahead of its formal reveal, even though, as The Guardian noted at the time, the leaked footage was not representative of the final product (MacDonald, 2022). Secondly, it sharpened a tension within the development community between sympathy for Rockstar's staff and frustration at the way unfinished work was judged; Bleszinski, Druckmann, Ismail and Pearce were among those who publicly pushed back on the criticism (Wikipedia, 2025b). Thirdly, it provided Rockstar with a self-referential vocabulary it eventually chose to deploy: the 2025 "fixing leaks" line in Trailer 2 only lands because the audience has carried the leak narrative with it for three years. In that sense the timeline of leaks is now, paradoxically, part of the official marketing arc of the game.
The following items are speculative and are clearly labelled as such; they do not appear, in this form, in the mainstream reporting cited above.
These items are offered as speculation only and should not be relied upon as established fact.
Armughanuddin, M. (2023) 'Rumor: GTA 5 source code and other Rockstar files leak online', Game Rant, 25 December. Available at: https://gamerant.com/gta-5-source-code-leak/ (Accessed: 26 December 2023).
BBC (2022a) 'Lapsus$: two UK teenagers charged with hacking for gang', BBC News, 1 April. Available at: https://www.bbc.co.uk/news/technology-60953527 (Accessed: 14 May 2026).
BBC (2023) 'Lapsus$: GTA 6 hacker handed indefinite hospital order', BBC News, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
CISA (2023) Review of the attacks associated with Lapsus$ and associated threat groups. Washington, DC: US Government Cyber Safety Review Board. Available at: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf (Accessed: 11 August 2023).
Clark, M. (2022) 'Nvidia says its "proprietary information" is being leaked by hackers', The Verge, 1 March. Available at: https://www.theverge.com/2022/3/1/22957212/nvidia-confirms-hack-proprietary-information-lapsus (Accessed: 14 May 2026).
Collins, R. and Richardson, T. (2025) 'What have we learned from Grand Theft Auto 6's second trailer?', BBC News, 6 May. Available at: https://www.bbc.com/news/articles/c4g2grmrx4po (Accessed: 7 May 2025).
Gatlan, S. (2022) 'Brazil arrests suspect believed to be a Lapsus$ gang member', BleepingComputer, 19 October. Available at: https://www.bleepingcomputer.com/news/security/brazil-arrests-suspect-believed-to-be-a-lapsus-gang-member/ (Accessed: 27 December 2023).
Goodin, D. (2022) 'Cybercriminals who breached Nvidia issue one of the most unusual demands ever', Ars Technica, 4 March. Available at: https://arstechnica.com/information-technology/2022/03/cybercriminals-who-breached-nvidia-issue-one-of-the-most-unusual-demands-ever/ (Accessed: 14 March 2022).
Kan, M. (2022) 'Uber blames recent breach on LAPSUS$ hacking group', PCMag, 20 September. Available at: https://www.pcmag.com/news/uber-blames-recent-breach-on-lapsus-hacking-group (Accessed: 19 September 2022).
MacDonald, K. (2022) 'Rockstar owner issues takedowns after Grand Theft Auto VI leak', The Guardian, 19 September. Available at: https://www.theguardian.com/games/2022/sep/19/rockstar-owner-issues-takedowns-after-grand-theft-auto-vi-leak (Accessed: 20 September 2022).
Peters, J. (2022) 'Seven teenagers arrested in connection with the Lapsus$ hacking group', The Verge, 24 March. Available at: https://www.theverge.com/2022/3/24/22994563/lapsus-hacking-group-london-police-arrest-microsoft-nvidia (Accessed: 14 May 2026).
Reuters (2022) 'Uber says Lapsus$-linked hacker responsible for breach', Reuters, 19 September. Available at: https://www.reuters.com/business/autos-transportation/uber-says-hacker-working-with-lapsus-responsible-cybersecurity-incident-2022-09-19/ (Accessed: 17 September 2023).
Robinson, A. (2022) 'Uber "in contact with the FBI" over potential GTA 6 hacker', Video Games Chronicle, 19 September. Available at: https://www.videogameschronicle.com/news/uber-in-contact-with-the-fbi-over-potential-gta-6-hacker/ (Accessed: 20 September 2022).
Tidy, J. (2023a) 'Lapsus$: court finds teenagers carried out hacking spree', BBC News, 23 August. Available at: https://www.bbc.co.uk/news/technology-66549159 (Accessed: 23 August 2023).
Tidy, J. (2023b) 'Lapsus$: GTA 6 hacker handed indefinite hospital order', BBC News, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
Wikipedia (2025a) 'Lapsus__CONTENT__#39;, Wikipedia. Available at: https://en.wikipedia.org/wiki/Lapsus$ (Accessed: 14 May 2026).
Wikipedia (2025b) 'Grand Theft Auto VI', Wikipedia. Available at: https://en.wikipedia.org/wiki/Grand_Theft_Auto_VI (Accessed: 14 May 2026).